LOAD DATA LOCAL INFILE在phpmyadmin4.0.10版本后的应用

LOAD DATA LOCAL INFILE

很早之前就出现的问题了，文章中不会过多的复述相关知识，谷歌关键词搜索“mysql 客户端任意文件读取”。

介绍

# 简单来了解一下官方文档吧。

The LOAD DATA statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.

There are two potential security issues with the LOCAL version of LOAD DATA:

1. The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would 
tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could
access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any 
statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)

2. In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process 
has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server 
actually is the Web server, not a remote program being run by users who connect to the Web server.

重点看这两个潜在的安全问题，简单来说就是：

利用该语句可以访问客户端用户具有读取访问权限的客户端主机上的任何文件。
在客户端是从web服务器进行连接的web环境中（例如：phpmyadmin），利用该语句可以读取Web服务器进程具有读取权限的任何文件。

文档中也有解释，在web充当客户端这种web环境中，相对于mysql服务器的客户端是web服务器。说的再简单一些，利用load data local infile读取文件的权限，等同于你php的权限（php为后端语言的情况），php能读/etc/passwd那用改语句也可以读。因此就产生了两个利用条件：

php.ini：open_basedir
my.ini：local_infile = 1

mysql客户端中的利用

LOAD DATA LOCAL INFILE在phpmyadmin4.0.10版本后的应用

可以看到默认secure_file_priv的value是NULL，需要我们手动去改才能使用load data infile，但是加了local后可以直接读文件，并不受这个限制。

phpmyadmin中的问题

环境为phpmyadmin5.0.1，官方最新版了吧

可以看到，插入了0行。同样是root，同样是使用了local，php也并没有设置open_basedir，很好奇为什么读不到数据。问了同事他说也没遇到过，同事通过查看phpmyadmin的源代码告诉我可以绕过（感谢我老铁的帮助Orz），同时我在phpmyadmin的官方github commit中找到了问题。